Proofpoint [2] [3] [4] [7], a cybersecurity company [3], has recently discovered a new malware strain called ZenRAT. This modular remote access trojan (RAT) specifically targets Windows computers and disguises itself as a fake installation package of Bitwarden, a popular password manager [2] [3] [6] [7].

Description

Hackers have been using a fake Bitwarden download page to target Windows users with ZenRAT [1]. The malware steals information from compromised systems, including CPU and GPU names [7], operating system version [3] [5] [7], browser passwords [7], and installed applications [7]. It is still unclear how the malware is being distributed [1], but malware posing as fake software installers has been delivered through SEO poisoning [1], adware bundles [1], or email in the past [1].

The fake site closely resembles the real Bitwarden website and only displays the fake download if accessed from a Windows host [1]. Non-Windows users are redirected to a legitimate website [1]. The payload is downloaded from a domain called crazygamesis[.]com [1]. The trojanized copy of Bitwarden’s installation package includes the ZenRAT .NET executable [1].

ZenRAT collects information about the host system and sends it to its command-and-control server [1] [6]. The malware also runs anti-sandbox and anti-VM checks so that it avoids executing in an analysis environment [2].

Conclusion

To protect against ZenRAT and similar threats, users are advised to only download software from trusted sources and be cautious of ads in search engine results [1]. It is crucial to stay vigilant and implement strong cybersecurity practices to mitigate the risks posed by malware attacks.
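The delivery pattern described above, an installer carrying a trusted product's name but served from an unrelated domain, can be hunted for in web proxy logs. The following is an added example, not code from Proofpoint or any cited source; the log format, the sample lines, the function names and the trusted-domain allowlist are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the publisher's official download domains; adjust per environment.
TRUSTED = {"bitwarden.com"}
INSTALLER_EXT = (".exe", ".msi")

# Constructed proxy log lines in an assumed format: "<timestamp> <client> <url>"
SAMPLE_LOG = """\
2023-09-27T10:01:02Z 10.0.0.5 https://vault.bitwarden.com/download/Bitwarden-Installer.exe
2023-09-27T10:03:40Z 10.0.0.8 https://cdn.example.net/files/Bitwarden-Installer.exe
2023-09-27T10:04:11Z 10.0.0.9 https://bitwarden.com.example.org/Bitwarden.msi
2023-09-27T10:05:00Z 10.0.0.9 https://cdn.example.net/files/game-setup.exe
2023-09-27T10:06:00Z 10.0.0.7 https://bitwarden.com/help/install.html
"""

def host_is_trusted(host, trusted=TRUSTED):
    """True only for an allowlisted domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a dot boundary so lookalikes such as
    # 'bitwarden.com.example.org' or 'notbitwarden.com' do not pass.
    return any(host == d or host.endswith("." + d) for d in trusted)

def flag_impersonated_downloads(log_text, brand="bitwarden", trusted=TRUSTED):
    """Return (timestamp, client, host, filename) for installer downloads
    whose filename carries the brand but whose host is not trusted."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed format
        ts, client, url = parts
        u = urlsplit(url)
        filename = u.path.rsplit("/", 1)[-1].lower()
        if not filename.endswith(INSTALLER_EXT) or brand not in filename:
            continue
        host = u.hostname or ""
        if not host_is_trusted(host, trusted):
            findings.append((ts, client, host, filename))
    return findings

if __name__ == "__main__":
    for hit in flag_impersonated_downloads(SAMPLE_LOG):
        print("suspicious download:", hit)
```

The client addresses in the findings identify hosts to triage first; a match is a lead for investigation, not proof of compromise.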

References

[1] https://securityboulevard.com/2023/09/zenrat-targets-windows-users-with-fake-bitwarden-site/
[2] https://www.hackread.com/fake-bitwarden-password-manager-zenrat/
[3] https://freemindtronic.com/zenrat-malware-bitwarden/
[4] https://www.proofpoint.com/us/blog/threat-insight/zenrat-malware-brings-more-chaos-calm
[5] https://www.infosecurity-magazine.com/news/zenrat-malware-bitwarden/
[6] https://isp.page/news/new-malware-strain-zenrat-disguised-as-bitwarden-password-manager-targets-windows-users/
[7] https://www.aroged.com/2023/09/27/new-zenrat-malware-discovered-in-fake-version-of-popular-password-manager/